Hi, I came across the changes to the credential matching and wondered about the recommendations for generating the salt for passwords. The Javadoc suggests storing the salt along with the credentials, but doesn't this defeat the purpose somewhat? If an attacker has gained access to the hashed passwords, wouldn't they also have access to the salts? Hence they can still use dictionary attacks. Am I missing something here?
Thanks,
Peter

--
Peter Ledbrook
Grails Advocate
SpringSource - A Division of VMware
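As an added illustration (not code from the Grails or Spring Security change under discussion), the sketch below shows why a salt stored in the clear next to the hash still does its job: it stops one dictionary pass or precomputed table from covering every account, while the per-guess cost is pushed onto the hash's work factor. The PBKDF2 parameters and the `salt$hash` layout are assumptions of this example, not the project's storage format.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example, not values from the project being discussed.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash with PBKDF2-HMAC-SHA256 and return 'salt$hash'.

    The salt is not a secret: verification needs it, so it is stored beside the
    hash. Its purpose is to make each account's hash unique, not to stay hidden.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per credential
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def guesses_to_cover(num_accounts: int, wordlist_size: int, salted: bool) -> int:
    """Hash computations needed to test every word against every stolen record.

    Unsalted: one pass over the wordlist (or a table built before the breach)
    matches any account, so the cost is wordlist_size. Per-account salts force
    a separate pass per account even when the salts are in the attacker's hands,
    so the cost is wordlist_size * num_accounts and nothing can be precomputed.
    """
    return wordlist_size * (num_accounts if salted else 1)


def demo() -> dict:
    alice = hash_password("correct horse")
    bob = hash_password("correct horse")  # same password, different salt
    return {
        "same_password_same_hash": alice == bob,
        "alice_verifies": verify_password("correct horse", alice),
        "wrong_rejected": verify_password("wrong", alice),
        "unsalted_guesses": guesses_to_cover(1_000, 10_000, salted=False),
        "salted_guesses": guesses_to_cover(1_000, 10_000, salted=True),
    }
```

Running `demo()` shows two users with the same password getting different stored values, and the guess count for 1,000 accounts rising from 10,000 to 10,000,000 once each record carries its own salt.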
